Goss and DGoss

Goss is another YAML-based tool for validating a server's configuration. It's built in Go and can be used to test all kinds of systems, from virtual machines to containers. Dgoss is a wrapper that facilitates using Goss with containers.

It is very similar to Container Structure Test but has a bigger set of functions that let you verify things like services, users, packages, groups, and even HTTP endpoints. You could probably do that by writing your own commands in Container Structure Test, but Goss provides these checks out of the box.
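As an added example (not from the original article or the Goss project), here is a goss.yaml covering the resource types named above, written for a hypothetical Debian-based nginx image; the package, user, group, port and HTTP values are constructed assumptions, and the `file` and `process` checks go slightly beyond the list in the text.

```yaml
# goss.yaml (constructed example for a hypothetical Debian-based nginx image)
# Every entry is an assertion; goss fails if the observed state differs.
package:
  nginx:
    installed: true          # the package the image is supposed to ship
service:
  nginx:
    enabled: true
    running: true            # needs an init system; see "process" below
process:
  nginx:
    running: true            # container-friendly equivalent of the service check
user:
  www-data:                  # assumed service account of the image
    exists: true
    groups:
    - www-data
    shell: /usr/sbin/nologin # an interactive shell here would be a finding
group:
  www-data:
    exists: true
port:
  tcp:80:
    listening: true
    ip:
    - 0.0.0.0
  tcp:22:
    listening: false         # nothing unexpected should be exposed
file:
  /etc/nginx/nginx.conf:
    exists: true
    owner: root
    group: root
    mode: "0644"             # config must not be writable by the service user
http:
  http://localhost:80/:
    status: 200
    timeout: 1000            # milliseconds; fail fast in CI
```

With the file in the current directory, `dgoss run -p 80:80 <image>` starts the container, copies goss and the test file into it, and runs the assertions, returning a non-zero exit code on failure.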

I think both are good options. I haven't tried Goss yet in practice. Experiment and see what you like more ;)

It's Ruby-based and a lot more complex than Goss or Structure Test. It also requires many more dependencies. Nevertheless, it's a very powerful tool that you might want to check out.

Security Testing with Clair

A very important aspect that is sometimes forgotten when working with containers is security. Docker images still have an OS such as Ubuntu or Alpine under the hood, which may contain software packages with known security vulnerabilities that need to be monitored and patched.

Clair is an open source project that helps find these vulnerabilities in your Docker images.

It keeps a vulnerability database that is updated at regular intervals, so it can find the most recently discovered issues.

You can easily integrate it into your CI pipeline to be notified of any vulnerability.

Recently I also discovered Anchore, which is very similar but, besides its open source solution, also provides an Enterprise solution with dashboards and other features.

Keep your image sizes in control with Dive

Having small and optimized images is very important in order to have faster builds.

Dive is a very cool tool that lets you explore a Docker image, see the contents of each of its layers, and more.

It can help a lot to understand how your image layers are organized and find ways to shrink the size of your final image.

Even cooler is that you can run it on your CI system and configure it to fail the build based on metrics related to the size of the image.

Conclusion

In more traditional systems, testing a server's configuration is not always easy, and it can have a high cost in terms of time and resources.

With Docker and these tools, it's really simple and fast to implement basic tests that guarantee the required packages are installed, the specified ports are listening, and the needed services are running.

Having these tests can give you extra confidence that the system as a whole will work as expected.

Do you know any other cool tool that I haven't mentioned in the article? Feel free to share.

Fantastic! I was looking for something like this. Hadolint is great, but the one thing it doesn't do is check labels. Which one of these tools do you find easiest to use alongside Hadolint to check for labels?